PSCS Wiki

User Tools

Site Tools

Trace: How to make VPOP3 re-download POP3 messages from the ISP VPOP3 Deleting messages as 'old' messages Data stream contained NUL character Some PCs cannot access VPOP3 when VPOP3 is connected to the Internet Out of Disk Space When Sending Mail
how_to:seeing_where_a_message_came_from

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
how_to:seeing_where_a_message_came_from [2011/10/21 08:57] – created paulhow_to:seeing_where_a_message_came_from [2018/11/14 10:45] (current) – external edit 127.0.0.1
Line 5: Line 5:
  
 The most important headers are those beginning with ''Received''. Each mail server which handles the message will add its own ''Received'' trace header to the start of the message. So, to see the passage of the message through time you have to find the lowest ''Received'' line in the headers, and work upwards. The most important headers are those beginning with ''Received''. Each mail server which handles the message will add its own ''Received'' trace header to the start of the message. So, to see the passage of the message through time you have to find the lowest ''Received'' line in the headers, and work upwards.
 +
 +=====Example=====
 +This is an example of some full headers
 +
 +<code>Return-Path: <a.user@example.com>
 +Received: from mail.example.com ([127.221.14.44]) by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP for <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
 +Received: by example.com (Postfix) for support@pscs.co.uk; Thu, 20 Oct 2011 04:36:27 -0400
 +Received: from [192.168.1.101] ([127.31.11.95]) by example.com (Postfix) with ESMTP id 891688127.17872.3016; Thu, 20 Oct 2011 04:36:25 -0400
 +Message-ID: <4E9FDD90.3080001@example.com>
 +Date: Thu, 20 Oct 2011 04:36:32 -0400
 +From: Alex User <a.user@example.com>
 +User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
 +MIME-Version: 1.0
 +To: Paul Smith <support@pscs.co.uk>
 +Subject: Re: This is a message
 +Content-Type: text/plain; charset=UTF-8; format=flowed
 +Content-Transfer-Encoding: 7bit
 +X-VPOP3-ORIGRCPT: paul@pscs.co.uk</code>
 +
 +This has three ''Received'' lines. In order of occurring they are:
 +
 +  - Received: from [192.168.1.101] ([127.31.11.95]) by example.com (Postfix) with ESMTP id 891688127.17872.3016; Thu, 20 Oct 2011 04:36:25 -0400
 +  - Received: by example.com (Postfix) for support@pscs.co.uk; Thu, 20 Oct 2011 04:36:27 -0400
 +  - Received: from mail.example.com ([127.221.14.44]) by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP for <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
 +
 +In fact, the first two of these are probably together, so just one server at the sender's end. The last line is the local mail server receiving the message from the sender's server.
 +
 +In this case, the only information we can totally trust is that added by the local server. The remote server may not be well behaved, and may have added misleading information. So, what we know for definite is that the message came from a server at '127.221.14.44' which was called 'mail.example.com'. It arrived at our server at 9:36:35 (in the GMT+1hr timezone - or BST in this case).
 +
 +If we know the sender's server, or are in contact with them, the other ''Received'' lines may help there as well. So, from those lines we can tell that the message reached the sender's server at 4:36:25 (in the GMT-4hrs timezone) - this is just 10 seconds before it arrived at our local server. The **127.31.11.95** address in the first ''Received'' line is the IP address of the sender as the first mail server saw it. The **192.168.1.101** is what the sending software was calling itself.
 +
 +See [[http://tools.ietf.org/html/rfc5321#section-4.4|Section 4.4 of RFC 5321]] for details on the ''Received'' header line format. Note that as this line is not intended to be parsed by a computer the recommended format is not always strictly used, so a bit of intelligence is required when reading it.
 +
 +Note that the ''Received'' line times are based on the relevant server's computer clock, so may not be accurate, so don't panic if a message appears to time travel. However, most server clocks are accurate within a few seconds.
 +
 +
 +=====SMTP Authentication=====
  
 If the message came from your local VPOP3 and you use SMTP authentication, you can also check the ''X-Authenticated-Sender'' header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge) If the message came from your local VPOP3 and you use SMTP authentication, you can also check the ''X-Authenticated-Sender'' header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge)
 +
 +If the message came from a remote server, there may be similar authentication header lines, but there is no standard for those, and they could have been forged or changed since the message was originally sent, so should not be trusted 100%.
how_to/seeing_where_a_message_came_from.1319187479.txt.gz · Last modified: 2018/11/14 10:44 (external edit)

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki